Using current methods, a mobile user must undertake several steps to access a corporate office network from a remote wireless LAN (WLAN) site (such as from an airport). These include first authenticating to an access network on the site (such as a WLAN) to gain IP connectivity, and thereafter authenticating to a corporate remote access gateway (such as a firewall, an IPsec gateway, etc.) to establish an office network connection. Upon successfully authenticating to the remote network, the mobile user can then initiate network applications that require access to resources on the office network. If the mobile user subsequently moves to another site, thereby discontinuing the prior IP connection, the user is then forced to go through another time-consuming procedure to set up the connection to the office network through a new access network, and may have to shut down and restart all networking application programs.
This procedure is inconvenient to mobile users in a variety of ways. First, a mobile user who seeks access to the targeted office network via a plurality of access networks must have valid accounts at each of these access networks, and needs to remember or possess authentication credentials (username, password, security certificate, etc.) for each of these access accounts. Second, the mobile user must have knowledge of the authentication method that is being implemented in each access network. Third, the mobile user has to determine which current access network is being utilized in order to implement the authentication method required by this access network, and has to submit the authentication credentials accordingly. These tasks can create tremendous problems for mobile users who are not networking professionals. In addition, this procedure can cause serious security problems. For example, currently public WLAN operators often use a Web-based username/password pair for the authentication method. Accordingly, a “look-over-shoulder” crook can easily steal them from a naïve user working in public. An irresponsible user might share his or her credentials with others, and a careless user might leave them in an obvious place on the portable device (laptop, PDA, etc.). The obvious consequence is theft of service from public WLAN operators, and a potential security breach for the user's corporate office network.
One well-known approach for streamlining authentication is known as Kerberos, a mutual authentication method between two parties that each share a secret with a trusted third party. Using the Kerberos method in the scenario of remote mobile access, either the mobile host or the authentication server in the access network needs to retrieve a ticket in real time from the authentication server in the mobile's home network. Using the ticket, which contains a session key encrypted separately under each of the two shared secrets, the mobile host and the access network can authenticate to each other, and the mobile host can then obtain the access service.
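The Kerberos-style exchange described above, written out as an added example (not code from the original text): a home-network authentication server holding long-term keys for the mobile host and for the access network's gateway issues a ticket carrying a fresh session key, encrypted once under the gateway's key and once under the mobile host's key; the two parties then prove possession of that session key to each other with timestamped authenticators. The principal names, the 300-second lifetime and skew window, and the cipher are assumptions: the "encryption" is a toy encrypt-then-MAC scheme built from the standard library (HMAC-SHA256 keystream plus HMAC tag) so the block runs offline, not a real Kerberos enctype.

```python
import hashlib
import hmac
import json
import os
import time

SKEW_SECONDS = 300  # assumed acceptable clock skew for authenticators


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Check the tag first: a tampered blob or a wrong key fails here, before parsing."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication server in the home network; knows every principal's long-term key."""

    def __init__(self, keys):
        self.keys = keys

    def issue(self, client, server, lifetime=300):
        skey = os.urandom(32).hex()
        expires = time.time() + lifetime
        # Same session key, sealed under each of the two shared secrets.
        ticket = encrypt(self.keys[server], {"client": client, "skey": skey, "expires": expires})
        for_client = encrypt(self.keys[client], {"server": server, "skey": skey, "expires": expires})
        return ticket, for_client


class AccessServer:
    """Gateway of the access network; shares only its own key with the KDC."""

    def __init__(self, key):
        self.key = key
        self.seen = set()  # (client, timestamp) pairs already accepted, for replay detection

    def handle(self, ticket, authenticator):
        t = decrypt(self.key, ticket)
        if t["expires"] < time.time():
            raise ValueError("ticket expired")
        skey = bytes.fromhex(t["skey"])
        a = decrypt(skey, authenticator)  # only a holder of skey could have built this
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(a["ts"] / 1000 - time.time()) > SKEW_SECONDS:
            raise ValueError("authenticator outside skew window")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return encrypt(skey, {"ts": a["ts"]})  # mutual auth: prove the gateway holds skey too


def client_login(client, client_key, server, kdc):
    ticket, for_client = kdc.issue(client, server)
    skey = bytes.fromhex(decrypt(client_key, for_client)["skey"])
    ts = int(time.time() * 1000)
    return ticket, encrypt(skey, {"client": client, "ts": ts}), skey, ts


def client_verify(skey, ts, reply):
    return decrypt(skey, reply)["ts"] == ts


def run_demo():
    keys = {"mobile@home": os.urandom(32), "wlan-gw@airport": os.urandom(32)}  # constructed principals
    kdc, gw = KDC(keys), AccessServer(keys["wlan-gw@airport"])
    ticket, auth, skey, ts = client_login("mobile@home", keys["mobile@home"], "wlan-gw@airport", kdc)
    mutual_ok = client_verify(skey, ts, gw.handle(ticket, auth))
    try:
        gw.handle(ticket, auth)  # same authenticator again must be refused
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return mutual_ok and replay_blocked


def tampered_ticket_rejected():
    keys = {"mobile@home": os.urandom(32), "wlan-gw@airport": os.urandom(32)}
    kdc, gw = KDC(keys), AccessServer(keys["wlan-gw@airport"])
    ticket, auth, _, _ = client_login("mobile@home", keys["mobile@home"], "wlan-gw@airport", kdc)
    bad = bytearray(ticket)
    bad[20] ^= 0x01  # flip one ciphertext bit
    try:
        gw.handle(bytes(bad), auth)
        return False
    except ValueError:
        return True
```

Note that the gateway never learns the mobile host's long-term key and the mobile host never learns the gateway's: each party only ever sees the session key, which is exactly what lets a visited access network authenticate a roaming user without holding that user's credential.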
Another well-known authentication protocol on the Internet is referred to as RADIUS (Remote Access for Dial-Up Services). With the EAP (Extensible Authentication Protocol) extension, it supports many authentication algorithms and provides a relay mechanism whereby a remote user can be authenticated to an access network by a RADIUS server that forwards the authentication exchange, in real time, to the RADIUS server in the mobile's home network.
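The relay mechanism in the paragraph above, as an added example that is not part of the original text: a RADIUS-style server in the visited access network holds no credential for the roaming user, so it routes the request by the realm in `User-Name` to the home server over a proxy hop protected by a shared secret, and the home server verifies the challenge/response and returns an Access-Accept with session keying material. Attribute names, the realm `home.example`, the user `alice`, the HMAC-based challenge/response and the proxy secret are all constructed for the example; the real protocol is binary over UDP and the real EAP methods differ.

```python
import hashlib
import hmac
import os


def message_authenticator(secret, attrs):
    """HMAC over the canonicalised attributes: integrity of the proxy hop (constructed encoding)."""
    canon = "&".join(f"{k}={v}" for k, v in sorted(attrs.items()))
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def client_respond(password, challenge_hex):
    """Supplicant side: answer a challenge with a keyed hash (EAP-style challenge/response)."""
    return hmac.new(password.encode(), bytes.fromhex(challenge_hex), hashlib.sha256).hexdigest()


class HomeRadius:
    """Home-network server: the only party that knows the user's credential."""

    def __init__(self, users, proxy_secret):
        self.users = users  # constructed username -> password table
        self.proxy_secret = proxy_secret

    def handle(self, req):
        body = {k: v for k, v in req.items() if k != "Message-Authenticator"}
        expected_mac = message_authenticator(self.proxy_secret, body)
        if not hmac.compare_digest(req.get("Message-Authenticator", ""), expected_mac):
            return {"Code": "Access-Reject", "Reason": "bad proxy authenticator"}
        user = req["User-Name"].rsplit("@", 1)[0]
        password = self.users.get(user)
        if password is None:
            return {"Code": "Access-Reject", "Reason": "unknown user"}
        if not hmac.compare_digest(client_respond(password, req["EAP-Challenge"]), req["EAP-Response"]):
            return {"Code": "Access-Reject", "Reason": "bad credential"}
        # Per-session key handed back to the access network; it never sees the password.
        msk = hmac.new(password.encode(), b"msk|" + bytes.fromhex(req["EAP-Challenge"]), hashlib.sha256)
        return {"Code": "Access-Accept", "Session-Key": msk.hexdigest()}


class VisitedRadius:
    """Visited-network server: authenticates nobody itself, relays by realm."""

    def __init__(self, realms):
        self.realms = realms  # realm -> (home server, proxy secret shared with it)

    def handle(self, req):
        name = req["User-Name"]
        if "@" not in name:
            return {"Code": "Access-Reject", "Reason": "no realm"}
        realm = name.rsplit("@", 1)[1]
        if realm not in self.realms:
            return {"Code": "Access-Reject", "Reason": "unknown realm"}
        home, secret = self.realms[realm]
        fwd = dict(req)
        fwd["Message-Authenticator"] = message_authenticator(secret, fwd)
        return home.handle(fwd)  # response relayed back to the NAS unchanged


def run_demo():
    secret = b"proxy-secret-visited-home"  # constructed shared secret for the proxy hop
    home = HomeRadius({"alice": "correct horse battery"}, secret)
    visited = VisitedRadius({"home.example": (home, secret)})
    challenge = os.urandom(16).hex()  # challenge issued by the access network

    def request(user, password):
        return visited.handle({"User-Name": user, "EAP-Challenge": challenge,
                               "EAP-Response": client_respond(password, challenge)})

    good = request("alice@home.example", "correct horse battery")
    bad_pw = request("alice@home.example", "wrong")
    bad_realm = request("alice@other.example", "correct horse battery")
    return good["Code"], bad_pw["Code"], bad_realm["Code"], "Session-Key" in good
```

The point worth noticing for a defender is which party sees what: the visited server only ever handles a challenge, a keyed response and the resulting session key, so compromising it yields no reusable password, while the proxy `Message-Authenticator` stops an intermediary from altering the relayed request.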
Passport is an application-layer authentication method for e-commerce. After a Web user is authenticated to a Passport server, his e-commerce profile (including credit card number, mail address, etc.) is automatically transferred to an e-commerce Web server that partners with the Passport server, so that the Web user does not need to re-create his e-commerce profile everywhere. However, neither Passport nor other similar application-layer single sign-on methods are designed for, and therefore are not appropriate for, remote mobile access.